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Executive Summary 

Satellite Communications (SATCOM) play a vital role in the global 
telecommunications system. lOActive evaluated the security posture of the most 
widely deployed Inmarsat and Iridium SATCOM terminals. 

lOActive found that malicious actors could abuse all of the devices within the scope 
of this study. The vulnerabilities included what would appear to be backdoors, 
hardcoded credentials, undocumented and/or insecure protocols, and weak 
encryption algorithms. In addition to design flaws, lOActive also uncovered a 
number of features in the devices that clearly pose security risks. 

The findings of lOActive's research should serve as an initial wake-up call for both 
the vendors and users of the current generation of SATCOM technology. 
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Key Takeaways 

lOActive researchers conducted the initial phase of an internal SATCOM research 
project from October-December 2013. This phase focused on analyzing and reverse 
engineering the freely and publicly available firmware updates for popular SATCOM 
technologies manufactured and marketed by Harris, Hughes, Cobham, Thuraya, JRC, 
and iridium. The key takeaways from this phase include: 

• Multiple high risk vulnerabilities were uncovered in all SATCOM device 
firmware studied by lOActive. These vulnerabilities have the potential to allow 
a malicious actor to intercept, manipulate, or block communications, and in 
some cases, to remotely take control of the physical device. 

• lOActive is currently working with government CERT Coordination Center and 
the vulnerable vendors to help remediate all security findings uncovered in this 
phase of lOActive research. 

• Specific details needed to replicate or test for the vulnerabilities discovered in 
this phase will not be disclosed publicly until the latter half of 2014-allowing 
time for the relevant fixes to be developed and deployed. 

• The classes of vulnerabilities uncovered by lOActive researchers included 
hardcoded credentials, undocumented protocols, insecure protocols, and 
backdoors. 

• lOActive recommends that SATCOM manufacturers and resellers immediately 
remove all publicly accessible copies of device firmware updates from their 
websites if possible and strictly control access to updates in the future. While 
this is not a component of a remediation strategy, it may hinder other entities 
from uncovering the same or future vulnerabilities. 
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Introduction 

During the last few months we have witnessed a series of events that will probably be 
seen as a tipping point in the public's opinion about the importance of, and need for, 
security. The revelations of Edward Snowden have served to confirm some theories 
and shed light on surveillance technologies that have long been restricted. 

When it comes to security, it is no longer acceptable to rely on perceptions. It is time 
to clearly define all of the technical elements required to properly determine if a 
system is secure or insecure. lOActive is committed to achieving this goal by 
analyzing the security posture of the entire supply chain, from the silicon level to the 
upper layers of software. 

Satellite Communications (SATCOM) play a vital role in the global 
telecommunications system. We live in a world where an ever-increasing stream of 
digital data is flowing between continents. It is clear that those who control 
communications traffic have an upper-hand. The ability to disrupt, inspect, modify, or 
re-route traffic provides an invaluable opportunity to perform surveillance or conduct 
cyber-attacks. 

Terrestrial network infrastructures are subject to physical limitations and simply cannot 
meet the needs of certain activities. To fill this gap and provide improved performance, 
there are multiple satellite constellations orbiting the Earth. These networks are 
responsible for, among other things, allowing people in remote locations to access the 
Internet, helping vessels and aircraft operate safely, and providing the military and 
emergency services with critical communication links during armed conflicts or natural 
disasters. 

Sectors that commonly rely on satellite networks include: 

• Aerospace 
. Maritime 

. Military/Governments 

• Emergency services 

. Industrial (oil rigs, gas, electricity) 

• Media 

Types of SATCOM Infrastructure 

SATCOM infrastructure can be divided into two major segments, space and ground. 
Space includes those elements needed to deploy, maintain, track, and control a 
satellite. Ground includes the infrastructure required to access a satellite repeater 
from Earth station terminals. 

Earth station terminals encompass the equipment located both on the ground and on 
airplanes and ships; therefore, this segment includes air and sea. This specific portion 
of the ground segment was the focus of our research. iOActive's goal was to provide 
an initial evaluation of the security posture of the most widely deployed Inmarsat and 
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Iridium SATCOM terminals. We analyzed devices used to access the following 
services: 

Inmarsat-C 

This maritime communication system provides ship-to-shore, shore-to-ship, and 
ship-to-ship services. Its store-and-forward capabilities make possible to use it for 
telex, fax, data or email. It is a key part of the Global Maritime Distress and Safety 
System (GMDSS), an internationally agreed-upon set of procedures, types of 
equipment, and communication protocols intended to increase safety and ensure a 
rapid and automated response from authorities and emergency services in the 
event of a marine distress. The international convention for Safety of Life at Sea 
(SOLAS) makes GMDSS-compliant equipment mandatory on all merchant vessels 
with more than 300 Gross Tonnage (GRT). 

VSAT 

Very Small Aperture Terminal (VSAT) systems use satellite transponders, usually 
operating at C-band and Ku-band, to transmit data, video or voice. 

BGAN 

Broadband Global Area Network (BGAN) is a global Satellite Internet and voice 
network. Built-in security options make this service suitable for military operations. 

BGAN M2M 

This global, two-way IP data service is designed for long-term machine-to-machine 
(M2M) management of fixed assets. It is popular in the Industrial Control Systems 
(ICS) sector as well as for SCADA applications. 

FB 

FleetBroadband (FB) is an IP-based, broadband data and voice maritime satellite 
system used for operational and crew communications. Modern navigation systems 
installed on ships, such as Electronic Chart Display and Information System 
(ECDIS), may rely on the data connection provided by this service to operate 
properly. An ECDIS is a computer-based navigation information system that 
complies with International Maritime Organization (IMO) regulations and can be 
used as an alternative to paper nautical charts . 

SwiftBroadband 

This is an IP-based broadband data and voice aeronautical satellite system. It has 
been approved by the International Civil Aviation Organization (ICAO) for aircraft 
safety services, playing an important role within the Future Air Navigation Systems 
(FANS). 

Classic Aero Service 

This is an aeronautical satellite communication system intended for voice, fax, and 
data. It includes the following services: 

. Aero H Multi-channel voice, 10.5kbps fax and data, delivered via a high- 
gain antenna within the satellites' global beams. ICAO approved for 
safety services. 
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. Aero H+ Multi-channel voice, 1 0.5kbps fax and data, delivered via a 
high-gain antenna within the spot beams of the lnmarsat-3 satellites and 
the full footprint of the lnmarsat-4 Atlantic Ocean Region (AOR) satellite, 
at a lower cost per connection. ICAO approved for safety services. 

. Aero I Multi-channel voice, 4.8kbps circuit-mode data and fax, delivered 
via an intermediate-gain antenna. Also supports low-speed packet data. 
Available in the spot beams of the lnmarsat-3 satellites and the full 
footprint of the lnmarsat-4 AOR satellite. ICAO approved for safety 
services. 

. Mini i\1 Aero Single-channel voice, fax or 2400bps data, for general 
aviation and smaller corporate aircraft. 

Scope of Study 

Due to multiple constraints of our initial research scope, it was not feasible to acquire 
each target device. In most cases, lOActive conducted this research without physical 
access to the actual equipment. Instead, we performed static firmware analysis by 
reverse engineering all of the devices. Our research was not intended to stress the 
software in search of common memory corruptions, but rather to understand the 
devices' native security strengths and weaknesses. 

lOActive found that all devices within the scope of this research could be abused by a 
malicious actor. The vulnerabilities we uncovered what would appear to be multiple 
backdoors, hardcoded credentials, undocumented and/or insecure protocols, and 
weak encryption algorithms. These vulnerabilities allow remote, unauthenticated 
attackers to compromise the affected products. In certain cases no user interaction is 
required to exploit the vulnerability; just sending a simple SMS or specially crafted 
message from one ship to another ship would be successful for some of the SATCOM 
systems. 

In addition to design flaws, lOActive also uncovered deliberately introduced features in 
the devices that clearly pose security risks. 

lOActive researchers continue to work with CERT Coordination Center and SATCOM 
vendors to help mitigate these vulnerabilities. All technical details, including the 
disassembled code, are provided to the appropriate affected entities to help verify 
findings and progress remediation. This document explains how attackers could 
leverage these vulnerabilities to perform different kinds of attacks. Every scenario is 
based on vendor-provided documentation as well as real-world deployments. 
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Table 1: Summary of Vulnerabilities 



Vendor Product 



Vulnerability Class Service Severity 



RF-7800-VU024 
RF-7800-DU024 



Hardcoded Credentials 
Undocumented Protocols 
Insecure Protocols 
Backdoors 



BGAN 



Critical 



i hushes' 

'a • 

9201/9202/9450/9502 



Hardcoded Credentials 
Undocumented Protocols 
Insecure Protocols 
Backdoors 



BGAN 
BGAN M2M 



Critical 



ThurayalP 



Hardcoded Credentials 
Insecure Protocols 
Undocumented Protocols 
Backdoors 



Thuraya 
Broadband 



Critical 



^ )J> 

EXPLORER (all versions) 



Weak Password Reset 
Insecure Protocols 



BGAN 



Critical 



SAILOR 900 VSAT 



Weak Password Reset 
Insecure Protocols 
Hardcoded Credentials 



VSAT 



Critical 



Cobha 



AVIATOR 700 (E/D) 



Backdoors 

Weak Password Reset 
Insecure Protocols 
Hardcoded credentials 



SwiftBroadband 
Classic Aero 



me/ 

SAILOR FB 150/250/500 



Weak Password Reset 
Insecure Protocols 



FB 



Critical 



Critical 



Cobha 




I 

SAILOR 6000 Series 



Insecure Protocols 
Hardcoded Credentials 



Inmarsat-C 




Critical 



JUE-250/500 FB 



Hardcoded Credentials 
Insecure Protocols 
Undocumented Protocols 
Backdoors 



FB 



Critical 



Hardcoded Credentials 
Undocumented Protocols 



Iridium 



Pilot/OpenPort 



Critical 
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Impact 

Table 1 summarizes the types of vulnerabilities lOActive uncovered during this 
research phase. The threats posed by these vulnerabilities deserve calm, measured 
analysis. That said, from a technical perspective, it is not wise for commercial entities 
to downplay the severity of the risks to businesses dependent upon the integrity and 
secrecy of such communications. As explained in the introduction, some of the 
services these products access are critical from a safety perspective. As such, it is 
important to define what exploits can and cannot be launched using the products' 
weaknesses. 

Vulnerability Classes 

Backdoors 

Mechanisms used to access undocumented features or interfaces not intended for 
end users. 

Hardcoded Credentials 

Undocumented credentials that can be used to authenticate in documented interfaces 
expected to be available for user interaction. 

Insecure Protocols 

Documented protocols that pose a security risk. 
Undocumented Protocols 

Undocumented protocols, or protocols not intended for end users, that pose a security 
risk. 

Weak Password Reset 

Mechanism that allows resetting other's passwords. 
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Attack Scenarios Against Harris BGAN Terminals 




Figure 1 : Land Portable and Land Mobile Harris BGAN Terminals 



Both land portable and land mobile Harris BGAN terminals are intended for use by the 
military sector. The main purpose of these terminals, such as the RF-7800B, is to 
provide enhanced tactical radio network capabilities. They are used in conjunction 
with software-defined radios (SDRs), such as the FALCON III® AN/PRC-1 17G SDR 
shown in Figure 2. 




Figure 2: AN/PRC- 1 1 7G SDR 

When the RF-7800B BGAN terminal is combined with the AN/PRC-1 17G SDR, the 
terminal operates simultaneously with the ANW2 waveform, providing beyond-line-of- 
sight (BLOS) communications. The system provides range extension of ANW2 
networked data. 

Harris' documentation contains a practical example: 

For example, consider an attack on a convoy in the mountains. Such an event requires an 
immediate reaction from many different units. Previously, this response was pieced 
together through fragmented systems. 

By leveraging a network of AN/PRC- 11 7G radios, commanders would be able to launch 
and coordinate an immediate response using some or all of the following applications: 

• Streaming video: Commanders would be able to analyze reconnaissance feeds 
from cameras, both on the ground and in their air, to plan their response. 

. Legacy interoperability: Quick Reaction Force teams would be able to call for 
close-air support for a counter attack. 

. Text messaging: Convoy personnel would be able to send details via text 
messaging, limiting confusion and removing traffic from voice networks. 

• Satellite communications: The radio will support reach-back capability through 
satellite communications to connect warfighters to brigade headquarters. " 



Copyright ©2014, 10 Active Inc. [9] 



This example matches Harris' tactical schema, shown in Figure 3. 
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Figure 3: Harris' Tactical Sctiema 

The vulnerabilities lOActive found in the RF-7800B terminal allow an attacker to install 
malicious firmware or execute arbitrary code. A potential real-world attack could occur 
as follows: 



1 . By exploiting the vulnerabilities listed in Table 1 , an attacker injects malicious 
code into the terminal. Malware running on an infected laptop connected to the 
terminal, as shown in Figure 4, could deploy this payload. 
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UND MOBILE TERMINAL 

1!mi<*«i-10 BGAN VEHICULAR POV/ER ADAPTER 




Figure 4: System Components, Including Laptop 



2. The malicious code uses the built-in GPS to obtain the coordinates where the 
system is located. This would allow the attacker to compare the system's 
position with a fixed area (target zone) where an attack from enemy forces is 
planned. 

3. If a Packet Data Protocol (PDP) context is detected or the system enters the 
target zone, the malicious code disables communications or even damages 
the terminal. 

4. The ability of the victims to communicate vital data or ask for support to 
perform a counter-attack is limited or even cut off. In the worst-case scenario, 
loss of lives is possible. 

This kind of equipment is common within the forces of the North Atlantic Treaty 
Organization (NATO). 
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Attack Scenarios Against Hughes BGAN M2M Terminals 
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Figure 5: Hughes 9502 BGAN M2M Antenna and Indoor Unit 

According to Hughes' BGAN M2M Operational Scenarios document , the satellite user 
terminal (UT) can be controlled remotely via SMS messages or AT commands as 
shown in Figure 6 and Figure 7. 
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Figure 6: Remote Control of the Hughes BGAN M2M UT via SMS 
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Figure 7: Remote Control of the HUGHES BGAN M2M UT via AT Commands 
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As Figure 7 illustrates, AT commands can be sent using Smart Terminal Equipment 
(TE) controlled via the IP pipe over the PDP context. 

The following two scenarios describe how an attacker could compromise the UT by 
exploiting the vulnerabilities listed in Table 1. 

Scenario One 

An attacker with access to the Smart TE, either directly or via malware, could 
exploit the 'admin code' backdoor when 'Enhanced Security' is activated. The 
attacker could also leverage the undocumented 'Zing' protocol. 

Scenario Two 

An attacker already knows the Mobile Subscriber Integrated Services Digital 
Network-Number (MSISDN) and International Mobile Station Equipment Identity 
(IMEI) of the UT. By generating the backdoor 'admin code', an attacker can send 
an SMS containing an encapsulated AT command to install malicious firmware. 

According Inmarsat's Channel Sales presentation , the Hughes 9502 BGAN M2M is 
deployed in six target markets, shown in Figure 8. 
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Figure 8: Hughes BGAN M2M Target Market Overview 



A successful attack against Hughes BGAN M2M terminals can have the following 
impacts: 

• Fraud 

Denial of service 
. Physical damage 
. Data spoofing 
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Attack Scenarios Against Cobham BGAN Terminals 

More than two-thirds of the Inmarsat satellite terminals currently in use belong to the 
Explorer family, manufactured by Cobham (formerly Thrane & Thrane). An attacker 
can take complete control of these devices by exploiting a weakness in their 
authentication mechanism using either direct access or scripted attacks (malware). 

Cobham Explorer terminals are deployed in multiple sectors. Attacks against these 
communication devices would have different impacts depending on the specific 
application. The following images below come from the documentation that vendors 
and integrators provide to illustrate case studies. 




Figure 9: Military Use 




Figure 10: Emergency Services and Field Operations 
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Figure 11: Life Saving Equipment 




Figure 12: Personal Communications for tlie Military 

Scenario: Personal Communications for ttie Miiitary as Attack Vector 

Historically, tracking the position of military units has provided the adversary with 
vital information about the units' objectives and tactical approach. If a member of a 
unit was targeted with a client-side exploit while browsing the Internet during 
personal communications time, an attacker would be able to install malicious 
firmware in the terminal. The attacker's code could then take advantage of the 
terminals' built-in GPS receiver to leak its position in real-time. 

There have been significant examples of this kind of exposure: 

. US Army: Geotagged Facebook posts put soldiers' at risk 

. The Israeli military cancelled a planned raid on a Palestinian village after 
one of its soldiers posted details of the operation on Facebook 
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Attack Scenarios Against Marine VSAT and FB Terminals 
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Figure 13: Cobham SAILOR 900 VSAT and JRC JUE-250 FB Terminals 

The Cobham SAILOR 900 VSAT, Cobham Sailor FB and JRC JUE-250/500 FB 
terminals are both deployed on ships as part of a satellite communication system or 
an Inmarsat FB system, as shown in Figure 14. 
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Figure 14: Inmarsat FB System 

Numerous services use the satellite link: 

Telephone, ISDN, SMS, and VoIP 
Broadband Internet 
Email and file transfer 
Multi-voice 
Video conferencing 
Safety 505 and red button 
Notice to mariners 
Maritime/port regulations 
ECDIS 

Vessel routing 
Cargo management 
Planned/Predictive maintenance 
Radio over IP (RolP) via walkie-talkie 
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. VHF/UHF radio integration 

. Crew welfare 

. Telemedicine 

. Tele-training/certification 

• Weatlner forecasts 

Compromising one of these terminals would give an attacker full control over all of the 
communications that pass through the satellite link. 

Scenario One: Navigation Ctiarts 

The vulnerabilities in these terminals make attacks that disrupt or spoof information 
consumed by the on-board navigations systems, such as ECDIS, technically 
possible, since navigation charts can be updated in real time via satellite. 

Scenario Two: Operational integrity 

The ability to control the satellite link of a vessel can be used to put the operational 
integrity of cargo vessels at risk. SATCOM links are often used to track the status 
and condition of container ships while in transit. This is especially important when 
transporting sensitive goods such as munitions or hazardous chemical products. 
The operational information enables the cargo's owner to take proper action and 
address any potential situation. 
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Attack Scenarios Against Cobham AVIATOR 

The Cobham AVIATOR family is designed to meet the satellite communications needs 
of aircraft, including those related to safety operations. Figure 15 illustrates a US 
military aircraft equipped with this product. 




Figure 15: US Air Force C-130J Super Hercules 



Aircraft safety is highly dependent on the redundancy and accuracy of on-board 
systems. When it comes to aircraft, software security is not an added value but a 
mandatory requirement. International certification authorities provide a series of 
standards which represent the industry consensus opinion on the best way to ensure 
safe software, such as the Radio Technical Commission for Aeronautics (RTCA) 
specification DO-178B or the European Organization for Civil Aviation Equipment 
(EUROCAE) ED-12B 

These regulatory standards define five levels of failure conditions, categorized by their 
effects on the aircraft, crew, and passengers: 

Level A-Catastrophic 

Failure may cause multiple fatalities, usually with loss of the airplane. 
Level B-Hazardous 

Failure has a large negative impact on safety or performance, reduces the ability of 
the crew to operate the aircraft due to physical distress or a higher workload, or 
causes serious or fatal injuries among the passengers. 

Level C- Major 

Failure significantly reduces the safety margin or significantly increases crew 
workload. May result in passenger discomfort (or even minor injuries). 
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Level D-Minor 

Failure slightly reduces the safety margin or slightly increases crew workload. 
Examples might include causing passenger inconvenience or a routine flight plan 
change. 

Level E-No Effect 

Failure has no impact on safety, aircraft operation, or crew workload. 

Software approved to levels A, B, or C requires strong certification involving formal 
processes for verification and traceability. Software approved to levels D or E is 
subject to a more 'relaxed' control. 

Although the failure condition levels are intended to cover not only the software as a 
standalone entity, but also as part of a more complex system, some claim that there is 
room for improvement. The main concerns seem to be related to interactions between 
equipment at different levels. 

lOActive was able to demonstrate that it is possible to compromise a system certified 
for level D that interacts with devices certified for level A, potentially putting the level A 
devices' integrity at risk. 

The AVIATOR 700 system is available in two versions: 

. AVIATOR 700 approved to RTCA specification DO-1 78B level E and DO- 
254 level E 

. AVIATOR 700D approved to RTCA specification DO-1 78B level D and DO- 
254 level D 
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Figure 16: AVIATOR 700 System Interactions 
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Both versions of the AVIATOR 700 operate in complex systems with multiple 
interfaces to other systems on board; however, only the AVIATOR 700D level D is 
approved for safety purposes. 

The vulnerabilities listed in Table 1 could allow an attacker to take control of both the 
SwiftBroadband Unit (SBU) and the Satellite Data Unit (SDU), which provides Aero- 
H+ and Swift64 services. lOActive found vulnerabilities an attacker could use to 
bypass authorization mechanisms in order to access interfaces that may allow control 
of the SBU and SDU. Any of the systems connected to these elements, such as the 
Multifunction Control Display Unit (MCDU), could be impacted by a successful attack. 
More specifically, a successful attack could compromise control of the satellite link 
channel used by the Future Air Navigation System ( FANS) , Controller Pilot Data Link 
Communications (CPDLC) or Aircraft Communications Addressing and Reporting 
System (ACARS). A malfunction of these subsystems could pose a safety threat for 
the entire aircraft. 
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Figure 17: The SDU (Level D) Interacts with 
the MCDU ( Level A Component Present in the Cockpit) 
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Attack Scenarios Against Cobham GMDSS Terminals 

GMDSS was briefly discussed in the description of Inmarsat-C services. The complete 
GMDSS regulation is defined in Chapter IV of the SOLAS convention. Under this 
international agreement, every GMDSS-equipped ship, while at sea, must be capable 
of: 

. Transmitting ship-to-shore distress alerts by at least two separate and 
independent means, each using a different radio communication service 

. Receiving shore-to-ship distress alerts 

. Transmitting and receiving ship-to-ship distress alerts 

. Transmitting and receiving search and rescue coordinating communications 

. Transmitting and receiving on-scene communications 

. Transmitting and, as required by regulation V/1 9.2.3.2, receiving signals for 
locating 

. Transmitting and receiving maritime safety information 

• Transmitting and receiving general radio communications to and from shore- 
based radio systems or networks subject to regulation 15.8 

. Transmitting and receiving bridge-to-bridge communications 

SOLAS establishes the type of radio communications systems that a ship needs, in 
order to be GMDSS compliant. This requirement depends on the ship's area of 
operation as illustrated in Figure 18. 




Figure 18: Sea Areas for GMDSS Communication Systems 
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There are four sea areas: 



. A1 An area within the radio telephone coverage of at least one VHF coast 
station in which continuous DSC alerting is available (20-30 nautical miles) 

. A2 An area, excluding the previous one, within the radio telephone 

coverage of at least one MF coast station in which continuous DSC alerting 
is available (approximately 100/150 nautical miles). 

. A3 An area, excluding A1 and A2, within the coverage of an Inmarsat 
geostationary satellite in which continuous alerting is available. 

. A4 An area outside sea areas A1 , A2, and A3. 

Cobham SAILOR 6000 is a GMDSS-compliant communications suite which provides 
the equipment specified by SOLAS. 

The basic equipment includes: 

. A VHF radio 

. One SART if under 500 GRT, 2 SARTs if over 500 GRT 

. Two portable VHF transceivers for use in survival craft if under 500 GRT, 
three if over 500 GRT 

. A NAVTEX receiver, if the ship is engaged on voyages in any area where a 
NAVTEX service is provided 

. An Inmarsat Enhanced Group Call (EGC) receiver, if the ship is engaged on 
voyages in any area of Inmarsat coverage where Marine Safety Information 
(MSI) services are not provided by NAVTEX or HF NBDP 

• A 406 MHz Emergency Position-Indicating Radio Beacon (EPIRB) 

Additional equipment includes: 

630x MF/HF Control Unit 
62xx VHF Radio 

630x MF/HF Control Unit 
62xx VHF Radio 
H1252B USB/Parallel Printer 
6006 Message Terminal 
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lOActive found that the insecure 'thraneLINK' protocol could be leveraged to 
compromise the entire SAILOR 6000 communications suite, posing a critical threat to 
the ship's safety. An attacker can install malicious firmware in order to control devices, 
spoof data, or disrupt communications. 

The Ship Security Alert System (SSAS) is also impacted by the vulnerabilities 
lOActive discovered in the Inmarsat Mini-C terminal. 

The SSAS is part of the International Ship and Port Facility 
Security (ISPS) code and contributes to the IMO's efforts to 
strengthen maritime security and suppress acts of terrorism and 
piracy. In case of attempted piracy or terrorism, the ship's SSAS 
beacon can be activated and appropriate law-enforcement or 
military forces will be dispatched. Once a SSAS alert has been 
triggered, the following protocol is applied: 

• Rescue Coordination Centers or SAR Points of Contact for the country code 
the beacon is transmitting are discreetly notified. 

. National authorities dispatch appropriate forces to deal with the terrorist or 
pirate threat. 

As a result of the security flaws listed in Table 1 , an attacker can remotely disable the 
SSAS by sending a series of specially crafted messages to the target ship. No user 
interaction is required. 

An attacker successfully exploiting any of the SSAS and GMDSS vulnerabilities may 
be able to: 

Provide false information to trick crew into altering routes 

Spoof or delete incoming communications such as Distress calls from other 
ships, weather warnings, or any other EGC message 

. Render devices unusable, effectively disrupting communications and leaving 
a vessel without the ability to interact with the outside world 

. Remotely disable safety systems before attacking a ship 

. In the worst-case scenario, loss of lives is possible. 
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Conclusion 

Considering tlie sectors wliere tliese products are deployed and tlie affected vendors, 
tine specific nature of tlie vulnerabilities lOActive uncovered is of great concern. 

Coordinated disclosure is a basic principle of security research, particularly in such 
high-stakes cases. With the help of the CERT Coordination Center, lOActive initiated 
the process to alert the affected companies about the issues we had uncovered. 
Unfortunately, except for Iridium, the vendors did not engage in addressing this 
situation. They did not respond to a series of requests sent by the CERT Coordination 
Center and/or its partners. 

The current status of the products lOActive analyzed makes it almost impossible to 
guarantee the integrity of thousands of SATCOM devices. Appropriate action to 
mitigate these vulnerabilities should be taken. Owners and providers should evaluate 
the network exposure of these devices, implement secure policies, enforce network 
segmentation, and apply restrictive traffic flow templates (TFT) when possible. Until 
patches are available, vendors should provide official workarounds in addition to 
recommended configurations in order to minimize the risk these vulnerabilities pose. 

If one of these affected devices can be compromised, the entire SATCOM 
infrastructure could be at risk. Ships, aircraft, military personnel, emergency services, 
media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, 
wind turbines, substations, etc.) could all be impacted by these vulnerabilities. 

The results of lOActive's research should be a wake-up call for both the vendors and 
users of the current generation of SATCOM technology. 
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